Originally posted by Sy Phul on The Andera Blog. Follow us on twitter @AnderaInc.
Before I joined Andera as the Director of Information Security, I led a team of 30+ security experts for a very well-known security company for over seven years, and before that I worked as a security consultant to two other firms. I was a jack of all trades in this space; I did audits and assessments, I advised on system design and procedural best practices as a security architect, and I participated in security incident response teams.
I also did some ethical hacking. There has been some debate over the appropriateness of the term “ethical hacker,” and it’s also possible to become a certified ethical hacker, but in this case I mean specifically that I was contracted by a bank to identify weaknesses in their security system by trying to steal personal data.
So, how did I do? The following is the true story of the steps I took in my attempt to “steal” personal data from the bank:
Step 1: Reconnaissance
First, I gathered information about the bank. Most of the information I needed was simple information available on the corporate website or easily obtainable from Google searches. I also listened to recorded messages from corporate phone numbers, and I checked out the branch I planned to infiltrate.
Step 2: Disguise
Next, I picked my disguise. Mine was simple; I pretended to be an IT guy. I found a badge that looked similar to those worn by bank personnel, and put it on so that it only showed the blank side. No elaborate forgery required; the information on the badge was blatantly false, but nine times out of ten, no one is going to stop you and ask you to flip your badge.
Step 3: Target
I targeted the woman who sat at the front desk. First, I established trust by casually dropping the name of the bank CTO and of a couple of technology systems the bank employees used, pieces of information that I had learned during my reconnaissance. Then I created fear; I told her that there was a virus on the bank network and that I had been asked to inspect her machine; she could be at risk. She handed her computer over.
Step 4: Infiltration
Once I had gotten past the front desk successfully, I became trusted personnel. I accessed computers with sensitive customer information, including ACH information. I accessed the Chief Information Security Officer’s computer… Ultimate ownage!
So what can you do?
As you can see, I was able to infiltrate the bank with very little reliance on what most people think of as “hacking.” Social engineering is one of the most common types of hacking. The email phishing scams we’ve all experienced (“Please help, I need you to help me transfer $$ overseas…”) are an example of social engineering, but for companies with sensitive data, the type of social engineering that I used to penetrate the bank is also common. Hackers who use social engineering exploit our trust to gain access to sensitive data. The weakest link is often human.
So what can your institution do? Education, education, education. Let your employees know about the types of threats that are out there. Establish security procedures that all employees are expected to follow. Tell them to be diligent, and to report security violations and incidents ASAP. You don’t have to go as far as The Onion suggests, but you can definitely take steps to protect your institution from hackers like me!